<TeXmacs|1.99.16>

<project|rehash.tm>

<style|<tuple|tmmanual|british>>

<\body>
  <section|Snakeoil: impersonating <abbr|https> servers>

  When Guix tries to download from an <abbr|https> URL and a proxy is
  specified, Guix will try to connect to the <abbr|https> server via the
  proxy with the <verbatim|CONNECT> method. This is inconvenient for
  remirror, though, as remirror needs to inspect the request URL and perhaps
  answer the request by itself. The <scm|(remirror snakeoil)> module allows
  for impersonating an HTTPS server.

  <subsection|Key management>

  The private key and certificate are generated at build time (with GnuTLS'
  <samp|certtool>), and inserted in the compiled code. This key and
  certificate are not meant to be secret, as remirror is only intended for use
  on loopback (and <samp|guix substitute> doesn't require the proxy to be
  honest).

  <\warning>
    The certificate will expire 8029 years after the Unix epoch when
    generated with <samp|certtool 3.6.15>. Don't forget to upgrade by then!
  </warning>

  <\explain>
    <scm|%snakeoil-private-key><explain-synopsis|Snakeoil private key>
  </explain|This variable defines the private key of the snakeoil certificate
  in use, as a <scm|x509-private-key?>.>

  <\explain>
    <scm|%snakeoil-certificate><explain-synopsis|Public part of Snakeoil
    certificate>
  </explain|Likewise, but for the certificate itself, as a
  <scm|x509-certificate?>.>

  <\explain>
    <scm|%snakeoil-credentials><explain-synopsis|Snakeoil credentials>
  </explain|Likewise, the \<#2018\>credentials\<#2019\> object that can be
  used in some GnuTLS procedures.>

  <subsection|Impersonation>

  <\explain>
    <scm|(impersonate-https <scm-arg|handler> <scm-arg|request-body>
    <scm-arg|response-port>)><explain-synopsis|Impersonate a <abbr|https>
    server>
  <|explain>
    Read an HTTP request from a TLS input-output pair (<var|request-body>,
    <var|response-port>), and send it to <var|handler>.

    <todo|The code is hanging in the handshake>
  </explain>
</body>

<\initial>
  <\collection>
    <associate|save-aux|false>
  </collection>
</initial>